[Snort-users] Snort missing traffic...?

PJ-ML p.jones.ml at ...8985...
Thu May 8 11:59:18 EDT 2003


Bought a new Netgear 10 mb hub...Here is more info:

I ran "snort -v -i eth0" and saw that is does in fact see traffic like arp 
requests from other servers and I can see that snort sees POP3 traffic as 
well from the firewall to our mail server on another network...Stopped 
snort and it said it captured 911 out of 911 packets, dropping 0 packets.

Now, I run a scan using Cerebus CIS5.0.02 at the same time run "snort -v -i 
eth0...scan completes and I stop snort. I then see that snort analyzed 2705 
out of 3870 packets, dropping 1165 (30%) packets. Why? I have zero 
idea...SO. I am not sure what to do to get it to see the other traffic...

~PJ




>Thanks for that insight...I am thinking along the same lines that the hub, 
>Linksys Etherfast Workgroup Hub, is acting like a switch...it does see 
>some traffic but not all...very strange. Has anyone else seen something 
>like this?
>
>Here some more info that occurred to me.  It(IDS) will see traffic to 
>itself and other servers that are not behind the firewall...it misses 
>traffic that is destined for the IP addresses that are being protected by 
>the firewall...
>
>Router (10.25.1.1) - - - Hub - - - FTP(10.25.1.6)
>                         |
>                         |- - - IDS(10.25.1.3)
>                         |
>                         firewall(10.25.1.2, 10.25.1.5, 10.25.1.7)
>
>With that diagram, I see traffic and exploits that are for the IDS and FTP 
>and not any IPs on the firewall...
>
>~PJ
>
>
>
>
>At 11:49 AM 5/8/2003, Rich Adamson wrote:
>>Sounds like the hub is really a switch. Since you didn't mention what type
>>of device it is, I'll mention what we've seen as network consultants that
>>do this type of work all the time.  We happen to use a NetGear 4 port hub,
>>but have noticed (for this model only) that if one port is 10 meg and
>>another is 100 meg, it acts as a switch instead.
>>
>>We also have an older 3Com 10/100 24-port hub that does the same thing.
>>
>>Try running snort in sniffer mode from the command line, like...
>>  snort -v -n 30
>>and look at the packets to see if the server's address appears. If you
>>see the server sending broadcast packets, your hub is probably acting
>>as a switch. If you don't see the server at all (you can ping it from
>>another machine) then there is some other problem.
>>
>> >   I ran some exploits on the snort server and acid reported them. I 
>> ran the
>> > same exploits on a server in the same sub-net and acid does not report 
>> any
>> > of this. I looked at the alert file in /var/log/snort and nothing 
>> regarding
>> > the exploits run against the other server are there. I am confused. I
>> > specified my HOME_NET, for example 10.25.1.0/24... The snort server is
>> > 10.24.1.24 and the server I also ran exploits on is 10.25.1.20.
>> >
>> > The ethernet link to hub and to other parts of the network are all 100
>> > base. Could it be the speed of the server? Not sure where to go, I know
>> > that I must tune the server, but I do not know what to tune if it is not
>> > seeing even purposeful exploits...I will be more than happy  to give any
>> > more info that anyone requires to help me figure this out...except 
>> for  the
>> > root password to my machine ;-)





More information about the Snort-users mailing list